Practice threat hunting vocabulary: IOC hunting, hypothesis-driven approaches, MITRE ATT&CK, lateral movement, and discovering unknown threats.
1 / 5
A security analyst says 'The threat hunter proactively searches for IOCs.' What are IOCs?
Indicators of Compromise (IOCs) are forensic artifacts that suggest a system or network has been breached. Threat hunters proactively search for these — file hashes of known malware, C2 domain names, unusual registry keys — rather than waiting for alerts to fire.
2 / 5
Your threat hunting team uses 'hypothesis-driven hunting.' What does this approach involve?
Hypothesis-driven threat hunting starts with a specific hypothesis informed by threat intelligence and the MITRE ATT&CK framework — e.g., 'If an attacker gained initial access via phishing, they would likely use PowerShell for persistence.' Hunters then actively search for evidence of that specific technique.
3 / 5
A threat hunter says 'The MITRE ATT&CK framework guides the hunt.' What does MITRE ATT&CK provide?
MITRE ATT&CK is a globally accessible knowledge base that categorizes adversary behaviors into tactics (goals) and techniques (methods). Threat hunters use it to systematically search for specific attacker behaviors — e.g., 'Credential Dumping' (T1003) — rather than searching blindly.
4 / 5
A hunt report says 'We found evidence of lateral movement.' What is lateral movement in a security context?
Lateral movement refers to techniques attackers use after gaining initial access to move across the network — compromising additional systems, escalating privileges, and getting closer to high-value targets. Evidence of lateral movement (unusual authentication events, pass-the-hash artifacts) indicates an active or past breach.
5 / 5
Your hunt team reports 'The hunt revealed a previously unknown backdoor.' What type of threat did this discover?
An unknown (previously unseen) threat, one that bypassed automated detection. Discovering such threats is a key value proposition of threat hunting: known IOCs are found by automated tools, but sophisticated attackers use custom tools that don't match signatures. Human-driven hunts find these unknown threats through behavioral analysis and anomaly detection.